雖然新法案尚未實施，但幾家大科技公司已經敲響警鐘，因為新法案可能迫使企業按政府的要求破解智能手機等加密設備。

本周二，代表微軟、谷歌、亞馬遜、貝寶和Facebook等公司的四個團體起草了一封公開信，收信人是參議院情報委員會主席理查德?伯爾（北卡羅來納州共和黨參議員）和副主席黛安娜?范斯坦（加利福尼亞州民主黨參議員）。兩人上周公布的新議案草案引起了爭議。科技行業團體表示，如果實施，新法案會導致“政府強制的安全漏洞”，本質上就是要求科技公司為政府開發破解軟件。

就在新加密法案宣布前，蘋果公司上個月剛剛跟聯邦調查局進行了一次激烈對抗，雙方爭執的焦點是執法部門要求蘋果解鎖圣伯納迪諾槍擊案嫌疑人賽義德?瑞茲萬?法魯克使用的iPhone，而蘋果堅決拒絕。后來FBI得到第三方的幫助，與蘋果的論戰遂被擱置一旁。但關于能否強迫科技公司幫助破解用戶設備獲取加密信息的爭論并未停息。

蘋果的最新透明度報告顯示，去年在多數情況下確實都為執法部門提供了幫助。11%的情況下蘋果拒絕了政府的要求，但在80%的情況下都提供了相應數據。科技公司指出，新法案的不同之處在于可以迫使軟件工程師削弱安全系統，變得更容易破解，因為該法案規定在刑事案件中，如果科技公司拒不破解相關設備上的模糊加密數據，則可視為違法。

路透社報道，按照這項法案，在涉及死亡、重傷、毒品、對兒童犯罪以及外國情報部門活動的刑事案件中，企業有責任按法院的要求交出加密數據。

上周提出草案后，伯爾和范斯坦目前正在征詢意見，隨后將正式提交參議院審議。

以下是公開信的內容：

親愛的伯爾主席和范斯坦副主席：

我們寫這封信的目的是為了表達我們對加密相關政策的深切關注。政策的初衷很好，但行不通。如果新法案得以施行，我們亟需的防護手段會遭到削弱，無法再抵抗那些意圖造成經濟損失和人身傷害的人。我們相信，對美國乃至全世界的IT基礎設施安全來說，避免出現因政府強制執行而出現的安全漏洞很關鍵。

我們的成員公司都是通過創新推動數字經濟獲得成功并保持增長，我們都認同用戶的人身安全及其最私密信息的安全需要保護。為了同時服務兩方面，我們會遵循兩項基本原則。首先，司法程序要求時我們會立刻響應，對政府部門在數據方面的緊急要求也會迅速處理。其次，我們的系統和產品設計包含了許多基于網絡和設備的特性，包括但不限于強大的加密功能。加密的目的是保證用戶的數字安全不會受到罪犯以及政府的威脅。

任何強制性破解要求，比如你們在此項法案的征求意見稿中授權的行為，都會帶來意料之外的結果。面對這樣的要求，企業將被迫把政府獲取數據放在其他考量因素之上，包括數字安全。由此產生的結果是，科技公司在設計產品和服務時可能被迫妥協，為用心不良之人提供可乘之機，我們一直在竭力阻止入侵者傷害顧客的利益，但妥協之后將無能為力。此項法案將迫使數字通信和存儲服務供應商按照法院的要求確保政府以“清楚明白”的方式獲得數據。這樣的授權意味著企業和用戶使用加密技術時，必須預留允許某些第三方獲得數據的潛在渠道，但用心不良之人也可以利用這個渠道實施破解。

另一點要銘記的在于，此類技術性授權并未考慮當今技術已全球一體化的特征。舉例來說，獲取數據的要求絕不會僅限于美國執法部門，如果美國政府可以提出要求，其他國家也一定會效仿。此外，美國并未壟斷這些安全措施。國會是通過了數據安全方面的法案限制數據使用，但只是限制，并沒有阻止使用。這樣做只會把用戶推向美國之外的公司，削弱美國科技行業的全球競爭力，并導致越來越多的數據存儲在其他國家。

我們堅決支持執法部門為確保偵破犯罪案件，掌握防范恐怖主義和保護公眾所需的法律權力、資源以及相應的訓練。然而，必須在協助執法部門和保護消費者的安全以及數字信息之間仔細權衡。我們已經準備好，也十分愿意就如何在兩者之間取得平衡展開對話，但我們仍然擔心，一旦把某個方面的安全置于其他所有領域之上，會對網絡安全以及消費者的安全產生難以預料的負面影響。（財富中文網）

簽名，

政府監控改革組織

計算機與通信行業協會

互聯網基礎設施聯盟

娛樂軟件協會

譯者：Charlie

審校：夏林

It’s not up for adoption yet, but already major tech companies are sounding the alarm about a new bill that could pressure companies to bust into encrypted devices like smartphones when asked to do so by the government.

On Tuesday four groups representing companies such as Microsoft MSFT -1.42% , Google GOOGL -0.21% , Amazon AMZN 0.81% , Paypal PYPL 2.14% , and Facebook FB 0.12% drafted an open letter to Senate intelligence committee chairs Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), who released their new draft of the controversial bill last week. The tech groups say if adopted, the new law would create “government-mandated security vulnerabilities,” essentially requiring tech companies to build hackable software for the government.

The new encryption bill comes on the heels of Apple’s AAPL 0.17% big fight with the FBI last month over whether the company could be forced to help law enforcement crack into an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. That fight was pushed aside when the FBI got help from a third party, but the debate over whether tech companies should be forced to help crack into other encrypted information on user devices wages on.

Apple’s latest transparency report suggests the company did help law enforcement in a majority of cases last year, objecting to 11% of law enforcement requests, while providing data in 80% of cases. But the difference with the new law, the companies say, is it could force software engineers to make security systems weaker and more hackable because it would make it illegal for companies to bow out of decoding unintelligible, encrypted data on devices in criminal cases.

Under the new bill, companies would be responsible for turning over encrypted data if demanded by court order in criminal cases that involve death, serious injury, drug offenses, child victims, or foreign intelligence operations, Reuters reported.

Burr and Feinstein are now soliciting input on the bill, introduced as a draft last week, before formally introducing it for adoption in the Senate.

Here’s the letter to the senators:

Dear Chairman Burr and Vice-Chairman Feinstein:

We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems.

As member companies whose innovations help to drive the success and growth of the digital economy, we understand the need to protect our users’ physical safety and the safety of their most private information. To serve both these interests, we adhere to two basic principles. First, we respond expeditiously to legal process and emergency requests for data from government agencies. Second, we design our systems and devices to include a variety of network- and device-based features, including but not limited to strong encryption. We do these things to protect users’ digital security in the face of threats from both criminals and governments.

Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop. The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors.

It is also important to remember that such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries.

We support making sure that law enforcement has the legal authorities, resources, and training it needs to solve crime, prevent terrorism, and protect the public. However, those things must be carefully balanced to preserve our customers’ security and digital information. We are ready and willing to engage in dialogue about how to strike that balance, but remain concerned about efforts to prioritize one type of security over all others in a way that leads to unintended, negative consequences for the safety of our networks and our customers

Signed,

Reform Government Surveillance

Computer & Communications Industry Association

Internet Infrastructure Coalition (I2C)

The Entertainment Software Association